
abacus-sentry.lsm

Posted Aug 17, 1999

Detailed descriptions of the PortSentry, HostSentry, and LogCheck tools included in the Abacus Project suite of Intrusion Detection tools. Abacus Project web site

tags | tool, web, intrusion detection
systems | unix
SHA-256 | 40a35537d21fbb306d3c94e412b3f26dd9776d0c8fd625ab734afdc08232f174

Why the name "Abacus Project"?

An abacus is one of the earliest known computing devices and is used to perform all manner of counting and arithmetic.
Since the project focuses on auditing, I thought the name to be appropriate and descriptive.

What is the Abacus Suite of tools comprised of?

The Abacus Suite consists of the following tools right now:

Logcheck/LogSentry - One of my original publicly distributed tools. This tool is a clone of a program that ships with the
TIS Gauntlet firewall but has been changed in many ways to make it work nicely for normal system auditing. Logcheck will
automatically monitor your system logs and mail security violations to you on a periodic basis. Most people who've used it
think it works very well for its intended purpose.

PortSentry - PortSentry is a port scan detector that takes an active stance: it shuts down attacking hosts while notifying
administrators, and it is easy to configure and start. Attacking hosts are denied access to your host by dropping
local routes or adding the host to a TCP Wrappers hosts.deny file, all in real-time.

HostSentry - HostSentry is a host based intrusion detection tool that performs Login Anomaly Detection (LAD). This tool
allows administrators to spot strange login behavior and quickly respond to compromised accounts and unusual behavior.
HostSentry incorporates a dynamic database and actually "learns" the user login behavior. This behavior is then utilized by
modular signatures to detect unusual events.


http://www.psionic.com/abacus/



Logcheck Version 1.1

Fast and reliable Unix log file auditing




Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system
logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log
Daemon packages, and the Firewall Toolkit© by Trusted Information Systems Inc. (TIS).

Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in
e-mail. This program is free to use at any site. Please read the disclaimer before you use any of this software.

Logcheck supports the following operating systems (and most others not listed here as well).

Linux
SunOS
Solaris
HPUX
Digital OSF/1
FreeBSD
BSDI
OpenBSD
NetBSD
Generic (Most variants)

See a sample Logcheck report here.

Download the package here.

Also be sure to join the mailing list to keep up to date on any new happenings.

PLEASE be sure to download my PGP key and logcheck signature to authenticate this package.


PortSentry BETA 0.61

Port Scan Detection and Active Defense System


PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans
against a target host in real-time. There are other port scan detectors that perform similar detection of scans, but
PortSentry has some unique features that may make it worth looking into:

Runs on TCP and UDP sockets to detect port scans against your system. PortSentry is configurable to run on
multiple sockets at the same time so you only need to start one copy to cover dozens of tripwired services.

Stealth scan detection (Linux only right now). PortSentry will now detect SYN/half-open, FIN, NULL, X-MAS
and oddball packet stealth scans. Four new stealth scan operation modes have been added to greatly increase the
power of this package.

PortSentry will react to a port scan attempt by blocking the host in real-time. This is done through configured
options: dropping the local route back to the attacker, invoking the Linux ipfwadm or *BSD ipfw command,
and/or automatically adding the attacker's IP to a TCP Wrappers hosts.deny file.

PortSentry has an internal state engine to remember hosts that connected previously. This allows the setting of a
trigger value to prevent false alarms and detect "random" port probing.

PortSentry will report all violations to the local or remote syslog daemons indicating the system name, time of
attack, attacking host IP and the TCP or UDP port a connection attempt was made to. When used in conjunction
with Logcheck it will provide an alert to administrators through e-mail.


As with all of the Abacus Project tools it is designed to have an easy configuration and be maintenance free. Put it in your
startup file and forget about it.

Read the DISCLAIMER.
Download the BETA here.
Download the PGP signature here.
Download my PGP key here.
Look at the CHANGES file here.
Look at the compatibility file here.
Look at a sample report (with Logcheck running) here.

Join the mailing list to keep up to date on new happenings.


Important Note

PortSentry has received criticism from various people regarding its susceptibility to Denial of Service (DoS) attacks
under stealth and UDP modes. I am completely aware of this condition and it is mentioned as a possibility no less than SIX
TIMES in the documentation and config files. In other words:

This is no news flash to me.

Stealth scan problems are, in my opinion, well known and well documented issues and will not be addressed, with the
possible exception of putting in a feature to detect this nonsense and to temporarily suspend protection.

The "Classic" TCP mode is not affected by stealth scan false-alarms. Because of this I always recommend using
just standard -tcp mode. This (and -udp) are the only modes available on non-Linux systems. As a result, all BSD
variants are NOT AFFECTED by this problem.

Thank you for your patience as I update this program. I'm kept very busy with work and can only program this in my
dwindling amount of spare time. If you don't see updates for weeks at a time you can be sure that they are being done, just
slowly. :)

ATTENTION NON-LINUX USERS

Stealth scan detection will not be coming to your platform any time soon. The classic modes are still very effective (and are
what I recommend using anyway). Please use these until I find time to update all the sources.

Why Look For Port Scans?

A port scan is a symptom of a larger problem coming your way. It is often the precursor to an attack and is a critical piece
of information for properly defending your information resources. Additionally, a host that connects to or scans your system
unsuccessfully gives you information you can use to check on the status of other hosts under your control that maybe
weren't so lucky.

What kind of scans does it detect?

PortSentry will detect any connection made to a TCP or UDP port on your host that you tell it to listen to. A configuration
file can be made to have it listen to dozens of ports at once to detect anything from a full-fledged sequential port sweep to
a random port probing. Because it covers the UDP spectrum as well it will alert you to people probing for RPC services
surreptitiously as well as TFTP, SNMP, etc.

PortSentry also has two (experimental) advanced stealth scan detection modes that greatly increase the detection
capability of the tool.

As of now PortSentry supports the following modes of operation:

Classic Mode

PortSentry will bind to pre-defined TCP and UDP ports to wait for a connection and will then react to block the host. This is
how version 0.50 and below worked. It is compatible with most UNIX systems out there, and -tcp is the only mode
I recommend using, for various reasons described in the documentation.

Enhanced Stealth Scan Detection Mode (Linux Only)

PortSentry includes two new modes of operation. Mode one will monitor a list of ports supplied for stealth scans
(SYN/FIN scans) and will then react accordingly. It is very similar to classic mode, except that ports are no longer captured
using bind(); instead a raw socket is used to analyze connections.

Experimental Advanced Stealth Scan Detection Mode (Linux Only)

Mode Two is what I call "Inverse Port Binding." In this mode PortSentry will first check to see what ports you have
running, it will then remove these ports from monitoring and will begin watching the remaining ports. This is very powerful
and reacts exceedingly fast to port scanners. It also uses very little CPU time. Additionally, it incorporates an active state
check, where protection is dropped for newly bound network ports. This prevents alarms on protocols such as FTP which
often connect back to the client. Once the connection has been torn down, then PortSentry will again start monitoring that
port!

What stealth scans does it detect?

Both stealth scan methods react to the most common stealth scan methods available (from tools such as nmap). This
includes SYN scans, FIN scans, standard connect() calls, and will alarm on "unusual" packets (i.e. varying TCP flags,
NULL scans, X-MAS scans) if seen coming into your system.

Does it detect random port scanning?

Yes, PortSentry has an internal engine that will remember hosts that connected to it in the past. Once the user defined
threshold has been crossed it will activate.
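The state engine described in the feature list, in Classic Mode and in the answer just above, as an added example rather than PortSentry's own code: it replays constructed connection attempts against constructed tripwire port sets, remembers which distinct ports each remote host has hit, and once the trigger value is crossed emits the syslog-style report and the hosts.deny line the text describes. The hostname, port sets, trigger value, log wording and timestamps are all made up for this illustration.

```python
"""PortSentry-style connection state engine.
Added example, not PortSentry's code. The tripwire port sets, hostname, trigger
value, log wording and the replayed connection attempts are all constructed."""
from collections import defaultdict

# Constructed tripwire sets: ports nothing real listens on, so any hit is a probe.
TRIPWIRE_TCP = {1, 11, 15, 111, 143, 1524, 31337}
TRIPWIRE_UDP = {7, 69, 161, 32770}


class StateEngine:
    def __init__(self, hostname, trigger=2, ignore=()):
        self.hostname = hostname
        self.trigger = trigger        # distinct tripwired ports a host may hit before reacting
        self.ignore = set(ignore)     # hosts never blocked (local machines, monitoring stations)
        self.hits = defaultdict(set)  # src -> {(proto, port), ...}: the engine's memory
        self.blocked = set()
        self.hosts_deny = []          # lines that would be appended to the TCP Wrappers hosts.deny
        self.syslog = []              # lines that would be sent to syslog

    def attempt(self, when, src, proto, port):
        """Process one connection attempt; return a reaction dict only when src is newly blocked."""
        tripwires = TRIPWIRE_TCP if proto == "tcp" else TRIPWIRE_UDP
        if port not in tripwires or src in self.ignore or src in self.blocked:
            return None  # real service, trusted host, or host already dealt with
        self.syslog.append(f"{when} {self.hostname} portsentry: connect from {src} to {proto} port {port}")
        self.hits[src].add((proto, port))
        # Distinct ports are counted, not raw hits, so a client retrying one port
        # never trips the trigger while a sweep or random probing does.
        if len(self.hits[src]) < self.trigger:
            return None
        self.blocked.add(src)
        deny = f"ALL: {src}"
        self.hosts_deny.append(deny)
        self.syslog.append(f"{when} {self.hostname} portsentry: host {src} blocked, hosts.deny entry '{deny}'")
        return {"host": src, "hosts_deny": deny, "ports": sorted(self.hits[src])}


# Constructed replay: (timestamp, source, protocol, port).
SAMPLE_EVENTS = [
    ("Aug 17 23:30:01", "198.51.100.7", "tcp", 22),     # real service, not a tripwire: ignored
    ("Aug 17 23:30:02", "198.51.100.7", "tcp", 143),    # one tripwire hit: below trigger
    ("Aug 17 23:30:02", "198.51.100.7", "tcp", 143),    # retry of the same port: still one distinct port
    ("Aug 17 23:30:05", "203.0.113.9", "tcp", 1),       # sequential sweep begins
    ("Aug 17 23:30:05", "203.0.113.9", "tcp", 11),      # second distinct port: trigger reached, blocked
    ("Aug 17 23:30:06", "203.0.113.9", "tcp", 15),      # already blocked: no second reaction
    ("Aug 17 23:31:10", "192.0.2.44", "udp", 161),      # random probing, UDP this time
    ("Aug 17 23:40:12", "192.0.2.44", "tcp", 31337),    # minutes later on another port: remembered, blocked
    ("Aug 17 23:41:00", "10.0.0.2", "udp", 69),         # ignored host: logged nowhere, never blocked
    ("Aug 17 23:41:01", "10.0.0.2", "tcp", 1524),
]


def replay(events, hostname="gw.example.test", **kw):
    """Feed events through a fresh engine; return it plus the reactions in order."""
    engine = StateEngine(hostname, **kw)
    reactions = [r for r in (engine.attempt(*e) for e in events) if r is not None]
    return engine, reactions


if __name__ == "__main__":
    engine, reactions = replay(SAMPLE_EVENTS, trigger=2, ignore={"10.0.0.2"})
    print("\n".join(engine.syslog))
```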



HostSentry 0.02 ALPHA

Host based login anomaly detection and response tool



Important Notice:

This is ALPHA GRADE software. While I feel the software is stable and will not cause problems on any host it is run on, you
need to be aware of some issues:

Some signature modules are incomplete and may be buggy in that they might miss/false alarm in certain instances.

This software has only been tested on small scale systems by myself. I, therefore, have no idea how large the
database will grow on a busy system, although I suspect this won't be a problem.

YOU NEED TO READ THE DOCS, AND I MEAN YOU NEED TO READ ALL OF THE DOCS. Don't install
security software of any type before you understand how and how not to use it. I go to great lengths to make
informative and detailed documents, do yourself a big favor and take the time to read them.

If you get a Python traceback or other odd error message please send it in to me for analysis. Please detail what
caused the traceback and your system specs. Without this information it makes getting a fix much harder.

Realize the program may cause many false alarms the first few days as the database fills with active users. This is
normal and you shouldn't panic. It should settle down once user entries have stabilized.

Requirements


HostSentry has only been tested on Linux and OpenBSD. The only requirement for HostSentry is the installation of the
Python programming language. Read the install document as you must re-compile Python to activate the syslog
extension module.


Download

Since many of you don't want to read the web page (but you should read all the docs), here are the download links:

HostSentry software is here
HostSentry PGP signature is here
My PGP key is here
The disclaimer is here


Also check out PortSentry and Logcheck as you probably want to use them too.

Lastly you should probably join one of the mailing lists that have been set up to keep up to date on new happenings.

It's late at night, do you know what your users are doing?


Location: Anywhere in the world.

Date: Tuesday Evening 23:30 hours.

Home Office: Your Unix system is sitting idle when a connection request comes in to the telnet port. A login prompt is
presented to the guest and it waits patiently for the account information to be entered. An account for one of your remote
sales managers is entered and access is granted to the system. This user, who has never logged in before, would normally
have no idea how to use Unix and certainly has no business on the system this late at night. Too bad nobody is watching.

Date: Tuesday Morning 09:00 hours.

Generic Internet Service Provider (ISP): A web server that had been compromised three days prior is sitting on a high
speed datalink that has visibility into the entire ISP backbone. On this server a password sniffer has been running for
almost 48 hours and has grabbed thousands of account usernames and passwords of people using normal Internet services
such as POP, IMAP, FTP, and HTTP. A remote intruder connects to a secret port on the machine from across the planet
and the entire list of snatched accounts is instantly downloaded onto their system. The username and password of your
sales manager is in there too after he used the ISP to dial in and check mail earlier that day.

Date: Tuesday Evening 23:31 hours.

Home Office: The person logging in is not who you think they are. They used a few grep commands to pick out interesting
accounts from the sniffer logs and your sales manager was on the top of the list. Maybe they think it will be fun to own your
machines, maybe you have something interesting, or maybe it's just your bad day. It doesn't matter; whoever it is quickly
grabs control of the machine and breaks root access. Several backdoors are installed as well as another password sniffer to
further compromise your network. At this point your computer systems are doomed.

Why weren't you watching?


HostSentry is the newest addition to the Abacus Project. HostSentry is a host based intrusion detection tool that performs
what is called Login Anomaly Detection (LAD).

Login Anomaly Detection works by monitoring interactive login sessions to the computer system and spotting unusual
behavior or activity that indicates an intrusion. In the case of HostSentry, it uses a dynamic database and modular
signatures to detect misuse and report or react to the events in real-time.

The biggest flaw with Unix is not any particular exploitable hole but the fact that it allows interactive access to anyone
that asks. Even with new encrypted tools such as SSH, there is a significant chance that an intruder can still compromise a
user account password in a variety of other fashions (unencrypted POP, re-use of passwords across hosts, unencrypted
sessions sniffed before SSH is used, plain old bad passwords, etc.).

Unix has a rudimentary (albeit not great) method for login accounting and HostSentry attempts to make use of this in an
automated fashion to spot problems before they become big headaches for you. A variety of techniques are used, which are
explained below.

What HostSentry does.


HostSentry monitors the Unix login accounting records (wtmp/utmp) for user login activity. Each login record provides the
following key data:


Username
Login TTY
Login Time
Login Location

This data is entered into a dynamically generated user database that stores the entry permanently for future use. Some of
the data can be used immediately to spot problems, other times the data needs to be collected for many consecutive logins
to derive meaningful information. In either case, the data can be used by the signature modules to detect problems on the
host.

What is a signature module?

A signature module in HostSentry is a module that performs one or both of the following:

Login processing
Logout processing

During a login, each of the signature modules is run; if a module has a login function to perform, it is executed on the login
and specific actions are taken if a violation is detected. During logout, the same process is run again, this time on the logout
functions. Again, if a module has a logout function it is executed and violations are reported as well.

This dual-mode operation has several benefits:

User activity that is suspicious can be spotted immediately on login.
User activity that is suspicious and occurred during the login session can be spotted on logout.
Modules can perform dual-functions providing backup assurance to each other for login and logout tracking.

An example of a module that is only active during login is: moduleFirstLogin. This module would run only during the user
login process and only reports if this is the first time this user has logged in.

An example of a module that is only active during logout is: moduleHistoryTruncated. This module checks the user's
history file on logout to make sure it has not been deleted, linked to /dev/null or other device, and is greater than zero
bytes.

An example of a module that performs both login and logout functions is: moduleLoginLogout. This module simply writes to
the audit logs that a user has logged in and logged out of the host.


What do all the signature modules do?


The signature modules perform a variety of functions. Because they are modular they can be turned on and off at will, and
the administrator can add custom modules as necessary. Here is the list of modules at this time and brief descriptions of
their functions (the modules not implemented yet state so in the text):

moduleLoginLogout

Description:

This module simply logs whenever any user logs into or out of the system. This is a generic audit trail module designed to
supplement existing logging you may already be doing.

moduleFirstLogin

Description:

Most users have no idea what a Unix shell is let alone how to access and use it. As a result, I always recommend that
you do not give users shell access to ANY system unless they specifically request it or it is necessary for your particular
application to function.

Because of the above phenomenon, it is a significant auditable event when a user who has never logged into a shell before
suddenly does. This may be normal, it may not be normal. The admin needs to decide whether it is OK for Susie the
secretary to be logging in interactively when she can barely type.

This module's sole purpose is to alert you to first time logins. This module is especially useful for getting a first alert after a
user's password has been sniffed. I'd recommend you pay attention to this module if you have a fairly stagnant user
population as many problems start here.


moduleForeignDomain

Description:

Often attackers who compromise a system account with sniffers and such will login from domains that clearly have no
business connecting to your site. Therefore I always recommend that you wrap your system services or protect them
with filters that only let your local domain interact with your host.

This module's purpose is to look at system logins and look up the remote host domain. If this domain is not listed in the
file:

moduleForeignDomain.allow

Then it is classified as "foreign" and you will get an alert. This is especially useful if you run an ISP in the *.com domain and
you find a login from someone in Malaysia (My apologies to the Malaysian users of this tool :) ).

If you wish to add known good domains to this file, simply pull it into an editor and have at it. This file is processed with
regex so be careful about using restricted characters.
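The login/logout dispatch described under "What is a signature module?", the learning user database behind moduleFirstLogin, and the regex allow file of moduleForeignDomain, worked through as one added example that is not HostSentry's own code. The module internals, the in-memory UserDB, the allow patterns and the sample login records are constructed here; the foreign-domain check uses fullmatch() to show why the allow file's dots must be escaped and its patterns anchored.

```python
"""HostSentry-style login/logout dispatch with a learning user database.
Added example, not HostSentry's code: module internals, the in-memory UserDB,
the allow patterns and the sample login records are constructed here."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginRecord:
    user: str        # the four fields the text lists
    tty: str
    time: str        # constructed timestamp string
    location: str    # remote host name, or "console" for a local tty

class UserDB:
    """Dynamic database: remembers every login so modules can compare against history."""
    def __init__(self):
        self.history = {}  # user -> list of LoginRecord
    def record(self, rec):
        self.history.setdefault(rec.user, []).append(rec)
    def seen_before(self, user):
        return user in self.history

class moduleLoginLogout:
    """Dual-mode module: plain audit trail on both events."""
    def login(self, rec, db):
        return [f"audit: {rec.user} logged in on {rec.tty} from {rec.location} at {rec.time}"]
    def logout(self, rec, db):
        return [f"audit: {rec.user} logged out of {rec.tty} at {rec.time}"]

class moduleFirstLogin:
    """Login-only module: fires when the database has never seen this user."""
    def login(self, rec, db):
        return [] if db.seen_before(rec.user) else [f"first ever login for {rec.user} from {rec.location}"]

class moduleForeignDomain:
    """Login-only module: the remote host must fully match one allow-file regex."""
    def __init__(self, allow_patterns):
        # Patterns as read from moduleForeignDomain.allow. fullmatch() anchors them, so
        # 'example.com.evil.test' is not accepted; dots must be escaped, or a bare
        # 'example.com' would also match 'examplexcom'.
        self.allow = [re.compile(p) for p in allow_patterns]
    def login(self, rec, db):
        if rec.location == "console" or any(p.fullmatch(rec.location) for p in self.allow):
            return []
        return [f"foreign domain login: {rec.user} from {rec.location}"]

class Dispatcher:
    def __init__(self, modules, db):
        self.modules, self.db = modules, db
    def _run(self, hook_name, rec):
        alerts = []
        for module in self.modules:
            hook = getattr(module, hook_name, None)   # modules lacking this hook are skipped
            if hook is not None:
                alerts.extend(hook(rec, self.db))
        return alerts
    def on_login(self, rec):
        alerts = self._run("login", rec)
        self.db.record(rec)   # learn only after the modules ran, so FirstLogin sees the prior state
        return alerts
    def on_logout(self, rec):
        return self._run("logout", rec)

# Constructed allow file: the local domain only, literal dots escaped.
ALLOW_PATTERNS = [r"example\.com", r".*\.example\.com"]

def demo():
    """Replay the text's scenario: an account that never used a shell logs in at night from a foreign ISP."""
    hs = Dispatcher([moduleLoginLogout(), moduleFirstLogin(), moduleForeignDomain(ALLOW_PATTERNS)], UserDB())
    night = hs.on_login(LoginRecord("smanager", "ttyp3", "Tue 23:30", "dialup17.isp.test"))
    out = hs.on_logout(LoginRecord("smanager", "ttyp3", "Tue 23:52", "dialup17.isp.test"))
    day = hs.on_login(LoginRecord("smanager", "ttyp1", "Wed 09:05", "ws12.example.com"))
    return night, out, day
```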


moduleRhostCheck

Description:

A user who makes dangerous modifications to their .rhosts file may be up to no good or just ignorant of the security
implications.

This module will look at a user's .rhosts file on logout and if it contains a wildcard ('+') it will log the event so an admin
can investigate. Of course you should never allow your users to use .rhosts files in any event, they are a horrible risk to
security (many daemons allow you to shut this feature off). I recommend never using the r-services (i.e. rsh, rlogin) on
any host.

moduleHistoryTruncated

Description:

This module will check the user's history file (chosen according to the user's shell in /etc/passwd). It will fire an
alarm if one of the following conditions occurs:

1) The history file for the shell being used does not exist (it may have been erased to cover tracks).

2) The history file is 0 bytes long (truncated to cover tracks).

3) The history file is a symbolic link. Commonly linked to /dev/null to prevent logging of commands. This is almost always
an indication of a compromise.

Right now, it only checks for history files for: bash, csh, and tcsh. I'm not completely familiar with all the shells, so if you
have a history file/shell type to contribute please mail me.

If you see this module fire you need to check your system for compromise. This is assuming of course the intruder didn't
break root already and stop HostSentry. :)


moduleOddDirnames

Description:

The user's home directory contains one or more suspicious directories. Usually hackers will make a local directory named
in an odd way to hide their work. This module will look for a directory name beginning in ".." (exempting of course the real
".."). Common intruder directory names include:

".. "
"..."

etc.

This module is not totally reliable, as it cannot of course check every permutation. It does catch the more common methods
that beginning hackers or users trying to hide something employ. If this module fires, you need to check
the user's directory for the strange entry.
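The two logout-side checks just described, moduleHistoryTruncated (missing, zero-byte or symlinked history file) and moduleOddDirnames (directory names beginning in ".."), as an added example rather than HostSentry's own code. The shell-to-history-file table and the temporary home directory built by build_sample_home() are constructed for this illustration, and it assumes a POSIX filesystem so that a symbolic link to /dev/null can be created.

```python
"""Logout-side checks in the style of moduleHistoryTruncated and moduleOddDirnames.
Added example, not HostSentry's code. HISTORY_FILES and the temporary home
directory that build_sample_home() creates are constructed for this illustration."""
import os
import tempfile

# Shell -> history file for the three shells the text names. Unknown shells are skipped.
HISTORY_FILES = {"bash": ".bash_history", "csh": ".history", "tcsh": ".history"}


def history_truncated(home, shell):
    """Return why the alarm fires (one of the three conditions), or None if the history looks normal."""
    name = HISTORY_FILES.get(os.path.basename(shell))
    if name is None:
        return None
    path = os.path.join(home, name)
    # Check for a link before anything else: a link to /dev/null "exists", has size 0,
    # and is the classic way to stop a shell from recording commands.
    if os.path.islink(path):
        return f"{name} is a symbolic link to {os.readlink(path)}"
    if not os.path.exists(path):
        return f"{name} does not exist"
    if os.path.getsize(path) == 0:
        return f"{name} is 0 bytes long"
    return None


def odd_dirnames(home):
    """Directories whose names begin with '..'. os.listdir() never yields the real '.' or '..',
    so the legitimate parent entry is exempt without a special case."""
    return sorted(n for n in os.listdir(home)
                  if n.startswith("..") and os.path.isdir(os.path.join(home, n)))


def build_sample_home(history):
    """Constructed home directory. history: None (absent), bytes (file contents,
    b'' for a truncated file) or a str naming a symlink target such as '/dev/null'."""
    home = tempfile.mkdtemp(prefix="hostsentry-demo-")
    for d in ("work", ".ssh", ".. ", "..."):   # two normal dirs and two hidden-by-name dirs
        os.mkdir(os.path.join(home, d))
    path = os.path.join(home, ".bash_history")
    if isinstance(history, str):
        os.symlink(history, path)
    elif history is not None:
        with open(path, "wb") as f:
            f.write(history)
    return home


if __name__ == "__main__":
    home = build_sample_home("/dev/null")
    print(history_truncated(home, "/bin/bash"))
    print(odd_dirnames(home))
```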


moduleMultipleLogins

Description:

A user is logged in from more than one host concurrently. This is a classic sign of an intrusion, as user accounts are
shared among hackers. It is not uncommon to see multiple logins from foreign domains, which makes multiple signatures
fire off simultaneously.

Hosts listed in the file: moduleMultipleLogins.allow will never be processed if they are seen in any user login. This is
useful for users who keep a login session from say a terminal at work and then go home to do work concurrently.

moduleOddLoginTime

Description:

The user is logging in at an odd time.

Not implemented yet.


moduleInvalidUtmp

Description:

The user's utmp entry on logout has been altered/missing.

Not implemented yet.


moduleHistorySuspicious

Description:

The user's history file contains suspicious commands.

Not implemented yet.


moduleNetworkDaemon

Description:

The user left a listening network daemon on logout.

Not implemented yet.


moduleFileExists

Description:

The user has a file/directory in their home directory that matches a pre-defined list of banned/monitored files.

Not implemented yet.



What else does it do?


You can add your own modules to suit your tastes. For example:

You can have a module write a message directly to the users screen on login that is time sensitive.
You can have a module perform cleanup operations after a user logs out of the host.
You can have a module e-mail/page you when a particular user logs in.

The fact is that since the tool is written in a high level language like Python, it makes code creation, debugging, and
implementation much easier and safer. While it's still possible to make a module that performs dangerous operations, it is
far less likely that this operation will be unintentional on your part (as opposed to using C). There is even a
moduleExample wrapper that you can use to base your code on.

The user database stores historical data and this data can be used to track and derive metrics for usage on your users. I
plan on releasing a tool to do exactly this, it will even have pretty HTML charts of login activity.

I have some other ideas too that I don't want to discuss right now.